GHSA-r9jw-mwhq-wp62

Source

https://github.com/advisories/GHSA-r9jw-mwhq-wp62

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-r9jw-mwhq-wp62/GHSA-r9jw-mwhq-wp62.json

Aliases

Published

2022-05-13T01:42:19Z

Modified

2023-11-08T03:58:49.234860Z

Details

In PyJWT 1.5.0 and below the invalid_strings check in HMACAlgorithm.prepare_key does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string -----BEGIN RSA PUBLIC KEY----- which is not accounted for. This enables symmetric/asymmetric key confusion attacks against users using the PKCS1 PEM encoded public keys, which would allow an attacker to craft JWTs from scratch.

References

Affected packages

PyPI / pyjwt

Package

Name: pyjwt

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

1.5.1

Affected versions

0.*

0.1.1

0.1.2

0.1.3

0.1.4

0.1.5

0.1.6

0.1.7

0.1.8

0.1.9

0.2.0

0.2.1

0.2.3

0.3.0

0.3.1

0.3.2

0.4.0

0.4.1

0.4.2

0.4.3

1.*

1.0.0

1.0.1

1.1.0

1.3.0

1.4.0

1.4.1

1.4.2

1.5.0